Login

Tag Archives: RIPS Technologies

30 Nov 2018

Not Really a WordPress Plugin Vulnerability – Week of November 30, 2018

In reviewing reports of vulnerabilities in WordPress plugins we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports we release posts detailing why the vulnerability reports are false, but there have been a lot of that we haven’t felt rose to that level. In particular are items that are not outright false, just the issue is probably more accurately described as a bug. For those that don’t rise to level of getting their own post we now place them in a weekly post when we come across them.

Arbitrary File Deletion Vulnerability in WP-DBManager

When you combine two entities that don’t seem to be concerned about the accuracy of their claims of vulnerabilities related to WordPress not surprisingly the results could be bad. Earlier this week the WPScan Vulnerability Database added this entry for a claimed arbitrary file deletion vulnerability in the plugin WP-DBManager: [Read more]

7 Nov 2018

RIPS Technologies and BleepingComputer Creator Claim That Plugin’s Functionality Not Working When Disabled is WordPress “Design Flaw”

We generally avoid security journalism as it frequently involves widely misleading to flat-out falsehoods, one example of that being something we discussed just a couple of weeks ago. One of the security journalism outlets we mentioned in that post was the BleepingComputer, so when a Google news alert let us know of another story related to the security of WordPress plugins from them it wasn’t surprising that it might not be totally accurate. The title of the story is WordPress Design Flaw + WooCommerce Vulnerability Leads to Site Takeover, though there doesn’t appear to be a design flaw in WordPress or a site takeover that actually occurred.

The “design flaw” is first described as one with the “WordPress permission system” and then as: [Read more]